XSS issues (unsanitized, and not-encoded post data appears in html output)

Below is the patch I made, which makes sufficient improvements so that sitelock does not detect any XSS issues.

I hope you will merge this (or similar) into future versions of this plugin.

Also, also I hope that you will do input sanitation on the rest of the fields in your forms.

diff --git a/wp_ultra_simple_shopping_cart.php b/wp_ultra_simple_shopping_cart.php
index bb39e12..42666c9 100644
--- a/wp_ultra_simple_shopping_cart.php
+++ b/wp_ultra_simple_shopping_cart.php
@@ -24,6 +24,32 @@ Domain Path: /languages/

 wp_enqueue_script('jquery');

+# utility functions for sanitizing and encoding data
+function jasonwoof_enc_html($str) {
+	$str = str_replace('&', '&', $str);
+	$str = str_replace('<', '<', $str);
+	$str = str_replace('>', '>', $str);
+	return $str;
+}
+function jasonwoof_enc_attr($str) {
+	$str = str_replace('&', '&', $str);
+	$str = str_replace('"', '"', $str);
+	return $str;
+}
+# sanitize an integer. return 1 if it's blank
+function jasonwoof_format_int_1($str) {
+	# remove all non-digits
+	$str = preg_replace('|[^0-9]|', '', $str);
+	# remove leading zeros (but not last digit)
+	$str = preg_replace('|^0*([0-9])|', '\1', $str);
+	# default to 1 (if there are no digits)
+	if($str == '') {
+		return '1';
+	}
+	return $str;
+}
+
+
 if(!isset($_SESSION)) {
 	session_start();
 }
@@ -116,7 +142,7 @@ if($_POST['addcart']) {
 		$product = array(
 			'name'			=> stripslashes($_POST['product']),
 			'price'			=> $price,
-			'quantity'		=> $_POST['quantity'],
+			'quantity'		=> jasonwoof_format_int_1($_POST['quantity']),
 			'shipping'		=> $_POST['shipping'],
 			'cartLink'		=> $_POST['cartLink'],
 			'item_number'	=> $_POST['item_number']
@@ -352,12 +378,12 @@ function print_wpus_shopping_cart( $step="paypal", $type="page") {
 					$product_thumbnail = "";
 				}

-				$cartProductDisplayLink = '<a href="'.$item['cartLink'].'">'.$product_thumbnail.$name.'</a>';
+				$cartProductDisplayLink = '<a href="'.jasonwoof_enc_attr($item['cartLink']).'">'.$product_thumbnail.jasonwoof_enc_html($name).'</a>';
 			} else {
 				$cartProductDisplayLink = $name;
 			}

-			$output_name .= "<input type=\"hidden\" name=\"product\" value=\"".$name."\" >";
+			$output_name .= "<input type=\"hidden\" name=\"product\" value=\"".jasonwoof_enc_attr($name)."\" >";

 			$output .= "
 			<tr id=\"cartcontent\" class=\"cartcontent\">
@@ -366,13 +392,13 @@ function print_wpus_shopping_cart( $step="paypal", $type="page") {
 					<form method=\"post\"  action=\"\" name='pcquantity' style='display: inline'>
 					".$output_name."
 					<input type=\"hidden\" name=\"cquantity\" value=\"1\" >
-					<input class=\"iquantity\" type=\"text\" name=\"quantity\" value=\"".$item['quantity']."\" size=\"1\"  onchange=\"this.form.submit();\" ><input class=\"pinfo\" type=\"image\" title=\"Reload\" value=\"Reload\" src=\"".WUSPSC_CART_URL."/images/Shoppingcart_reload.png\">
+					<input class=\"iquantity\" type=\"text\" name=\"quantity\" value=\"".jasonwoof_enc_attr($item['quantity'])."\" size=\"1\"  onchange=\"this.form.submit();\" ><input class=\"pinfo\" type=\"image\" title=\"Reload\" value=\"Reload\" src=\"".WUSPSC_CART_URL."/images/Shoppingcart_reload.png\">
 					</form>
 				</td>
 				<td class=\"left\">".print_payment_currency(($price * $item['quantity']), $paypal_symbol, $decimal, get_option('cart_currency_symbol_order'))."</td>
 				<td>
 					<form method=\"post\"  action=\"\">
-					<input type=\"hidden\" name=\"product\" value=\"".$item['name']."\" >
+					<input type=\"hidden\" name=\"product\" value=\"".jasonwoof_enc_attr($item['name'])."\" >
 					<input type='hidden' name='delcart' value='1' >
 					<input class=\"remove\" type=\"image\" src='".WUSPSC_CART_URL."/images/Shoppingcart_delete.png' value='".get_option('remove_text')."' title='".get_option('remove_text')."' >
 					</form>
@@ -381,16 +407,16 @@ function print_wpus_shopping_cart( $step="paypal", $type="page") {
 			";

 			$form .= "
-				<input type=\"hidden\" name=\"item_name_{$count}\" value=\"{$name}\" >
-				<input type=\"hidden\" name=\"amount_{$count}\" value='{$price}' >
-				<input type=\"hidden\" name=\"quantity_{$count}\" value=\"{$item['quantity']}\" >
-				<input type=\"hidden\" name=\"amount_{$count}\" value=\"{$price}\" >
-				<input type='hidden' name='item_number' value='".$item['item_number']."' >
+				<input type=\"hidden\" name=\"item_name_{$count}\" value=\"".jasonwoof_enc_attr($name)."\" >
+				<input type=\"hidden\" name=\"amount_{$count}\" value='".jasonwoof_enc_attr($price)."' >
+				<input type=\"hidden\" name=\"quantity_{$count}\" value=\"".jasonwoof_enc_attr($item['quantity'])."\" >
+				<input type=\"hidden\" name=\"amount_{$count}\" value=\"".jasonwoof_enc_attr($price)."\" >
+				<input type='hidden' name='item_number' value='".jasonwoof_enc_attr($item['item_number'])."' >
 			";

 			$item_tax = (!empty($display_vat) && is_numeric($display_vat) )? round(($price * $display_vat) / 100, 2) : 0 ;
 			if(!empty($item_tax)){
-				$form .= "<input type=\"hidden\" name=\"tax_{$count}\"  value=\"{$item_tax}\">";
+				$form .= "<input type=\"hidden\" name=\"tax_{$count}\"  value=\"".jasonwoof_enc_attr($item_tax)."\">";
 				$total_vat = $total_vat + ( $item_tax * $item['quantity'] );
 			}

@@ -399,7 +425,7 @@ function print_wpus_shopping_cart( $step="paypal", $type="page") {

 		if(!get_option('wpus_shopping_cart_use_profile_shipping')) {
 			$postage_cost = number_format($postage_cost,2);
-			$form .= "<input type=\"hidden\" name=\"shipping_1\" value='".$postage_cost."' >";
+			$form .= "<input type=\"hidden\" name=\"shipping_1\" value='".jasonwoof_enc_attr($postage_cost)."' >";
 		}

 		if(get_option('wpus_shopping_cart_collect_address')) {//force address collection
@@ -499,7 +525,7 @@ function print_wpus_shopping_cart( $step="paypal", $type="page") {
 			  	// all data sent to paypal
 			  	$output .= $urls.'<input type="hidden" name="business" value="'.$email.'"><input type="hidden" name="currency_code" value="'.$paypal_currency.'"><input type="hidden" name="cmd" value="_cart"><input type="hidden" name="upload" value="1"><input type="hidden" name="rm" value="2"><input type="hidden" name="mrb" value="DKBDRZGU62JYC"><input type="hidden" name="bn" value="UltraProdSAS_SI_ADHOC">';

-				if(!empty($vat)) $output .= '<input type="hidden" name="tax_cart" value="'.$total_vat.'" >';
+				if(!empty($vat)) $output .= '<input type="hidden" name="tax_cart" value="'.jasonwoof_enc_attr($total_vat).'" >';

 				if($use_affiliate_platform) {
 					$output .= wp_cart_add_custom_field();
@@ -859,4 +885,4 @@ add_shortcode('always_show_wpus_shopping_cart', 'us_always_show_cart_handler');
 add_action('wp_head', 'wp_cart_add_read_form_javascript');

-?>
\ No newline at end of file
+?>

I did some work on this plugin, trying to fix all XSS issues. I succeeded in making sitelock happy. Here’s my patch:

https://jasonwoof.com/downloads/xss-fixes-for-wpuspsc.patch

I release all copyright claims to this work. Do what you want with it, CC0, etc.

I hope you will merge this (or similar) into future versions of this plugin.

Also, also I hope that you will do input sanitation on the rest of the fields in your forms. The price field makes me particularly nervous.

Hi JasonWoof, any improvement is interested, even if I think this is not a big deal to simply not allow the paypal sell. Anyway I’ll add you patch in the next release after a review. Thanks for your support and help

I forgot, you can propose patch online using github repo : https://github.com/Ultra-Prod/wp-ultra-simple-paypal-shopping-cart

Thanks